What connects these names: Exxon-Valdez, Enron, Erin Brockovich and Halliburton? You’ve likely heard of them. They all became household names because of massive class action lawsuits – civil cases brought against companies by large numbers of claimants.

Usually, these are the sorts of legal stories that journalists like to cover. They have recognisable characters – plucky underdogs and evil corporations – and clear stakes. They make for good reading. But so far, coverage of the enormous impact of the General Data Protection Regulation (GDPR) has sidestepped this storyline.

The GDPR is an EU-wide change of law which comes into effect on May 25th 2018. It is the most comprehensive data protection law ever passed. The consequences of this have been framed in terms of massive corporations who face government-levied fines – fines so large that no headline writer is able to resist them: millions of dollars, or percentages of global revenue.

The big names

Facebook and Google are the totems of the data economy. They offer a myriad of free services to the general public and, in exchange, collect massive quantities of information on their users. As a result, they have virtually cannibalized digital advertising. Google and Facebook account for about half of worldwide spending on digital advertising, which is a rapidly growing pot. In 2016, new spending in the US alone was worth $12 billion – 77% of that went to the duopoly.

User data has propelled Facebook and Google to dizzying heights of profitability, power, and reach. Their grip on the digital economy is getting tighter and tighter, even as the overall size of the market expands. They cast an enormous shadow, and the introduction of the GDPR has been framed in relation to that shadow. It is a narrative of governments taking on some of the largest companies in the world, all in the name of privacy.

It is also just one part of a wider narrative. The tech giants have managed to create unlikely political allies of Bernie Sanders, Steve Bannon and Tucker Carlson – who all suggest the tech giants be treated as ‘public utilities’. In August, Buzzfeed’s Editor-in-Chief compared them to “oil prospectors and junk-bond traders,” ripe for a fall. In the EU, Facebook, Google, and WhatsApp have been censured, fined, or sued – all this year.

From Brussels to Washington, politicians and regulators are taking aim at US tech giants. With all that going on, it is easy to forget that they are far from the only companies impacted. But with two huge targets to aim at, government regulators are uninterested in going after the thousands of smaller companies monetizing user data.

Protecting the people

It is also easy to forget the protection of EU citizens (i.e. the ostensible aim of the GDPR). Ordinary citizens are depicted as passive bystanders, hoping against hope their governments can protect them.

The GDPR is an extension of the previous European data protection regulation regime. It takes into account precedent-setting European Court of Justice rulings, most notably the Right To Be Forgotten case of 2014 and the Safe Harbour decision of 2015.

Any company collecting, storing, or using the personal data of EU citizens is impacted, whether or not they are based within the region. That’s vital: data flows are not bound by national borders, contracts, or terms of use – people’s data is a commodity, bought and sold between companies without them ever knowing.

EU citizens are set to become empowered by the GDPR. They are given scope to bring civil cases regarding the misuse of their data, regardless of who has misused it or where they are based. Data protection cases generally involve companies committing one of two types of breach: first, activities using personal data in an inappropriate manner; second, failing to properly protect and minimise personal data.

Many of us sign over our data to get access to a digital service – like those sites that ask you to link your Facebook account to sign up. Companies then take that data and combine it with other sources – often as part of unseen agreements and partnerships – to better target users for ads. Think of all those geographically targeted ads for specific services in your area, aimed at your demographic, bolstered by your search history. When you signed up, you agreed to share personal data with one company, not every company they make deals with. According to White & Black Legal, “there may be thousands (or even millions) of individuals in different [EU] Member States affected” by data protection breaches now covered by the GDPR.

Comprehensive approach

Privacy experts know that dozens of law firms are planning on setting up offices in Brussels, ready for the wave of civil cases likely to result from the adoption of the GDPR. This means that tech giants won’t only face opposition from governments – and it’s much harder to lobby public opinion. It also means tech giants aren’t the only ones who have to worry about new and better regulations.

Governments want to take on the largest companies. The fines are more significant and the public will give them more credit for taking on the big guys. But that means that small companies working in the data economy know they can muddle through without much attention.

If data protection is all about governments pegging back tech giants, the actual protection of citizens is limited. All your personal data going to other companies will still be used, without consent. Life wouldn’t actually change that much. Citizens would remain on the outside looking in, hoping their government catches each and every breach of their personal data.

Civil cases change that, and there is enormous appetite for them. Both Safe Harbour and the Right To Be Forgotten were cases brought by individuals to the European Court of Justice, at considerable expense and effort to the plaintiffs.

Class action cases make it easier for citizens to defend themselves. They can join an ongoing case brought about by activists, broadening the pool. Even the threat of it forces more companies to be diligent and prepared for the GDPR. Ultimately, the bottom-up civil process will make implementation of data protection wider, deeper, and more thorough. It’s about time that became part of the story of the GDPR.

About the author

ROWAN EMSLIE is a writer and editor focused on politics and tech. He co-hosts Connected & Disaffected, a podcast about the future of politics. He has been published in outlets such as VICE, CS Monitor and EurActiv.